Buffer Overflow Protection

Discussion in 'other security issues & news' started by richrf, May 25, 2005.

Thread Status:
Not open for further replies.
  1. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi everyone,

    Looking over the threads on buffer overflow protection and the associated white papers that these threads link to, I have concluded:

    1) Buffer overflows are indeed a serious threat to security that users should be concerned about and,

    2) Buffer overflows are not a threat and users should bit worry about them at all.

    Hmmm ...

    Well, I halve the difference and just be reasonably concerned. :)

    Given that I am reasonably concerned, it appears that buffer overflow attacks are primarily associated with worms. (Correct me if I am wrong). Then, if I have WormGuard and a current, updated version of Windows XP SP2, can I be considered reasonably well protected. Thanks for the help and comments.

    Rich
     
  2. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Been trying to work this one out for myself Rich.

    Btw, by definition, a buffer overflow is exploited by a worm...which is really a trojan that replicates via OS flaws.

    From what I read, there are different sorts of buffer overflows, but the only one I know of...what happens is a program recognises another program interacting with it by it's name, but the programmers only allowed 38 characters for the name...anything after that got injected directly into the running program, and became a part of it...so every time that running program started, so did the worm.....this is one reason why I've never been able to work out if PG protects against this sort of thing - hoping it does.

    Of course having any trojan running it's happy tune inside one of your computers running process is a serious safety breach...thankfully the makers of worms seem to be more interested in DoS attacks etc, than stealing your banking info etc...but that'll change I'm sure.

    PrevX claims to prevent buffer overflows, and I know it certainly does prevent some, but I've also read that it may be impossible to cover all areas where a buffer overflow may occur.

    Not sure how good wormguard is, havent seriously considered using it yet, because I don't download exe's from emails, and the firewall stops port scanner worms.

    Sorry the information isn't more accurate. No one seems to ever write up any guides to these things, the info comes in bits and pieces from everywhere.
     
  3. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    You might try Attack Shield Worm Supression. Freebie that sits in the background and runs completely transparently. It blocks core system files from running any unusual code, whether by buffer overflow or otherwise.

    Nope, not even the NX feature in the Athalons cover all of them. :/
     
  4. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Vikorr,

    Thanks for you preliminary analysis. It is very helpful in clarifying some concepts.

    I have read some white papers that analyze buffer overflows, and it seems like there are several avenues of attacks and even the best protection available, StackDefender, apparently does not guard against all types of attacks. However, the white papers that I read are old and the more recent versions of StackDefender may have more muscle.

    With that said, it appears, as always, that it is a better strategy to catch these problems as far upstream as possible. So if worms, by definition, are the initiators of buffer overflow attacks, then it would seem that WormGuard (which I find to be a terrific program) is a very good way to intercept the worms before they can begin doing their work.

    In the past, WormGuard has intercepted potentially problematic scripts that were associated with simple html pages that I accessed via a supposingly harmless Google search (if there is such a thing :) ). From the advice I have received from experts on this forum, it appears that a WormGuard-like product is a good thing to have to close potential holes not covered by ProcessGuard or RegDefend (there are other products that are available both free and paid).

    I am sure we will be hearing other comments on this subject, but thanks for the info so far.

    Cya around,
    Rich
     
  5. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Notok,

    To the best of your knowledge, does Attack Shield differ from WormGuard in areas that it secures? If so, do you know in which way? Thanks.

    Rich
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hi,
    Could you give a link please?
    I tried a search in google, I get link for sanasecurity, where the product must be paid. And there's download.com link. What do you say?
    Thanks,
    Mrk
     
  7. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    WormGuard is basically an intelligent script blocker that scans scripts and executables before they are allowed to run. Attack Shield protects 9 system processes from doing anything out of the ordinary. Very different things.. WormGuard is a scanner, Attack Shield is kind of a mix between ProcessGuard and Prevx, just for 9 system processes.
     
  8. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Hi Rich,

    I agree with you that worms should be caught before they install. My question in regards to wormguard has always been 'does it add any more value' to my security measures. I can't quite find the answers I'm looking for in regards to that.

    The main concern for a worm for me, has always been that something would get through my webrowser.

    So say it got past my AV + AT...it would then have to get past PG/PrevX/RD.

    If it has a 'payload' of sub programs/reg changes, one of PG/PX/RD would certainly pick it up. PrevX certainly protects some buffer overflows for me. Worms can't dial in or out of my comp (unless I suppose PG doesn't protect from buffer overflows...which as I said, I can't find an answer to).

    So Wormguard may be going overboard for me, but I can't find a list of 'what wormguard does' to help me decide if its necessary. I know it uses heuristics...but on what ? just on *exe's that you download ? or on webbrowser activities also ? IM's etc <some worms are infecting computers simply through links given out over IM's>
     
  9. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    Saw your sig and implemented all of the mentioned. Some of it I used for a time, some of it was new. Excellent work, dude.
    By the way, I got 2 more questions:

    I downloaded the atws and it says when I start the installation that the program collects personal info. What do they mean? Is this just a one-time collection or do they glean info later on. I doubt it, since then you prolly wouldn't recommend it, but just to be on the safe side.
    Concerning secureIt. I ran it and enabled most of the things. Now, I noticed it offers to disable a variety of services, all of which I have already disabled manually (including remote registry, messenger, unpnp etc..). The options that are given to the user are disable (recommended) and enable (default). Now, does this mean that if I click default, that it will enable a service?
    By the way, messenger is disabled, by default in sp2. So, if I'm already protected and I click default, which in this case is 'enable', will it revert to MY default settings or will it revert to A default setting, which means the messenger will be turned on. And if I click recommented, then it will repeat a procedure I've already done. This could only be semantics, so I'm wondering.
    What is the 'revert' and 'default'? Mine or windows? If windows, then it's not a good idea to revert, cause then many patches I've carefully layered over might come undone. Or am I blubbering needlessly.
    Anyhow, thanks for the info, and the very good hardening advices.
    Cheers,
    Mrk
     
  11. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Thanks! :) Hopefully the second page gave you something as well :)

    It's just a registration.. I think the main purpose is to sign you up for their update notification, but also includes a little more. Of course, if you're under 13 you can specify that to bypass the registration ;)

    The default it's speaking of is Windows default, SecureIt itself should default to the recommended for all but a couple options (which it explains) Generally speaking, go with the "Recommended" if you're securing, "Default" if you're changing things back to the way they were.

    I would pay more attention to whether it says it's disabling or enabling it. If something is already disabled, it's not going to hurt anything for SecureIt to disable it again.

    Going through the wizard is pretty much a "switch on" "switch off" type of deal, but you can use the uninstaller to revert back to your own changes. You're right, though, the program could use a little polish. Great program, but the wizard annoys me :/

    To bring this back to the topic at hand, I'd say hardening is one of the best things you can do against worms :) Qwik-Fix includes fixes for other programs besides just Windows- mainly AIM right now but more soon, apparently.
     
  12. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Rich

    read the blurb on StackDefender, and it says it protects from Stack buffer overflows.

    PrevX says it protects from Heap AND Stack buffer overflow. Don't know how many different types of overflow there is (or how valid the claim is).
     
  13. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Vikorr,

    My own feeling (others may look at it differently) is that ProcessGuard, RegDefend, and Prevx probably is enough protection, since a worm that executes on your system, that is up to some malicious no-good, is going to trigger some alert in Prevx or RegDefend.

    The only difference that I can see is that WormGuard (or ActiveShield) will alert further upstream. WormGuard, when the script is first encountered, or Active Shield when the script attempts to use a system service in an abnormal manner (it is not clear exactly what system services Active Shield is monitoring). Actually, it appears that WormGuard would notify first, since it is intercepting the script before it can do anything. So the tripwires would be activated in this sequence, I suspect:

    1) WormGuard,
    2) Active Shield
    3) RegDefend and/or Prevx

    Of course, there is a possibility that the worm could perform its nastiness without triggering either RegDefend or Prevx, (or the AV and firewall) but it would seem that this would be very difficult indeed.

    In my case, I decided to attempt to intercept the worm (or malicious script) as early as possible in the execution stream (before it has a chance to do anything), which is why I have implemented WormGuard. RegDefend then acts as my second line of defense, along with my AV. I am looking into Active Shield, but I wish there was more info on their site. They have about a gillion (that 1 to the 14th power) articles and white papers and they all say exactly the same thing (basically what I described).

    I am sure others may have other strategies or may find some holes in ours.

    Rich
     
  14. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    yup, I understand about intercepting the worm earlier, which is why I'm curious about it...and also because to install apps I need to shut down PG & sometimes suspend PrevX.
     
  15. CN232

    CN232 Guest

    I don't mean to question your knowledge, but I submit this statement is false.

    Buffer overflows though traditionally associated with worms, are not the sole domain of worms. Any form of malware can use buffer overflows to excute unauthorised code to carry out various tasks , it can be a trojan ,a worm, a script etc.

    The 2 main forms are stack buffer overflows and heap buffer overflows. You already know this The former is much easier to pull off and is the focus of many attacks.

    I'm afraid this must be some very specific attack I'm not familar with, it certainly doesn't sound like the common generic explaination of stack buffer overflows.

    In general PG doesnt. You can look at the tests http://kareldjag.over-blog.com/archive-05-2005.html

    In the unix world, people have worked on various ways to stop buffer overflows. Eg randomising the address map layout. Again it won't get all of them. In addition, Windows XP SP2 uses "canary values" which are basically check periodicly to ensure that they are not overwritten, which would be a sign of a buffer overflow.

    A free app was posted here a few weeks ago based on the randomising idea, it seems to work okay, but will confuse other security apps like processguard and app monitoring apps.

    Wormguard doesn't treat the disease. Scripts might be one of the mechanisms to cause buffer overflow attacks occur, but it doesnt directly address the problem.

    The most famous one is http://www.cs.ucsb.edu/~jzhou/security/overflow.html

    It's difficult for non-programmers to grasp the concept of buffer overflows since they don't really understand what a stack , or a buffer is. I had a friend who is an expert in this area (he has studied under some of the best), try to explain it to me several times, I got the general idea, but I figure he was simplfying a LOT!
     
  16. Cluessnewbie

    Cluessnewbie Guest

    I'm afraid, that buffer overflows are not the sole domain of worms. Any program you run can cause a buffer overflow.

    If you understand how Prevx or Regdefend work (Prevx basicly monitors a few registry keys+file areas commonly targetted by worms), coupled with a basic understanding of buffer overflows, you will see that buffer overflows by itself should not be blocked by either. Ofcourse, Prevx claims to block bufferoverflow attacks, but without more details .....

    One thing to note, often the effectiveness cannot be merely measured by how early it alerts. More important is that it alerts on the right thing. WG is effective against worms (some of which use bufferoverflows), but it doesn't do a thing against a trojan which does a buffer overflow attack. As such WG addresses the problem indirectly at best. Of course, you can say KAV would detect the trojan, but we are clearly assuming signature based approaches fail already, otherwise this discussion is moot, and we might as well just run KAV and ditch the rest.

    Activesheild seems to directly block attempts to carry out Buffer overflow attacks on the critical window services that most worms go for. Is it a complete defense? Of course not, any other programs you run can also fall prey to a buffer overflow attack, so keep all your apps updated

    For sure it would be possible for a malware to execute a buffer overflow without alerting regdefend. Bufferoverflow attacks do not need to use the registry. Regdefend is good, but only effective against malware that needs to autostart, but i can imagine a oneoff attack that doesn't attempt to autostart.

    As for fooling AV, we are clearly assuming it can, otherwise why borther with proactive measures beyond signatures? Firewalls? Pretty much a joke really.

    I would say that it would be a big mistake to assume that only worms use bufferoverflow attacks. If you are worried only about worms, I would agree you and most people are pretty much protected by AVs+ some kind of sandbox program.

    But if you are worried about buffer overflow attacks in general, anti-worm defenses aren't the answer.

    I am sure others may have other strategies or may find some holes in ours.

    Rich[/QUOTE]
     
  17. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi cluessnewbie,

    Thanks for the clarification.

    Looking at potential points of attacks, it would appear that WormGuard (anti-worms/scripts) together with ProcessGuard (anti-trojans), should intercept the different types of programs that could invoke buffer overflow attacks. I am talking theoretically. If there are holes, then hopefully the AV, AT, RegDefend and/or Prevx might provide sturdy extra lines of defenses.

    However, there is always the possibility there is a straight-line of attack that would penetrate right through all of the defenses and cause some real problems. That is what I think Vikorr and I are attempting to better understand. We are not looking for one product to do everything, rather is there an obvious "buffer flow" weakness in a layered defense that consists of a firewall, top-rated AV/AT/AS, ProcessGuard, WormGuard, RegDefend/Prevx?

    It would seem like a piece of malware would really have to try hard to squirm its way through and initiate an undetected buffer overflow. However, there is an obvious line of attack (one that does not require a worm or trojan to get through all of the defenses), then possibly a product such as Active Shield makes sense. But then one also has to ask oneself, "at what point is enough, enough?" :)

    So with this in mind, the question is: "Is a basic combination of AV/AT, ProcessGuard, WormGuard, RegDefend/Prevx sufficient to head off any real buffer flow nastiness that might be caused by known malware attack mechanisms?" My primary aim is to stop attacks as early in the "executable stream" as possible. That is to catch the malware, before it can make use of a buffer overflow. If this is not possible then possibly Stack Defender or Active Shield are products to look at. My gut feel is that it is probably not necessary to look specifically at the buffer overflow problem, if adequate preventative measures are in place, but I am certainly open to comments.

    Rich
     
    Last edited: May 25, 2005
  18. CN232

    CN232 Guest

    Of course we are talking of pocs.

    A straight line attack would go as follow. Someone posts some free security app that claims to stop all buffer overflow, or perhaps systinternal posts one and it is later changed to a trojanised copy.

    The attacker, has carefully tested this trojan with all the known anti-trojan and anti-av apps popular with the security testing home crowd (ie you and me), and has ensured it's not detected.

    In the readme, it carefully states that for this app to work in real time, it needs to be installed as a driver, because it uses some kernel based code (or some other techno babble), also for obvious reasons global hooks are needed.

    You decide to download it and install it. KAV doesn't detect it, so it's down to Proccessguard and regdefend. You certainly arent going to use PG to block this new "security app" so it installs. If you block it from installing as a driver, a big error message will popup. Regdefend won't make a pep since it doesn't alter any of the registry entries that startup (it's a service!)

    You install it..... Game over..

    Of course this does not rely specific use of bufferoverflows, but if it was using some buffer overflow attack, you would have a second opportunity when your app alerts you to some suspicious behaviour.

    As always, the very first step is that your signature based scanner fails to detect it AND you decide to execute it. If that happens you are dead. If this attack happens to use a buffer overflow attack, you will be covered if your product has capabilities to detect it.

    It's somewhat similar to a product which not only monitors exes running, but also detects suspicious behaviour like installation of drivers and hooks, so if you mistakenly allow some malware to run, you are given a chance to migate its effects since by default they don't have these rights.

    On the other hand, another possibility is someone attacking your system remotely, in which case, the relevant question is, is there a zero day attack involving a buffer flow attack with your favourite personal firewall?

    Because you are using a product that montors all processes that start, that is the only line of defense you have. Once that is passed, if it uses a Buffer overflow attack you are a goner.

    The answer is it is never enough. Some would say what *you* are running is too much for example.

    Not sure what you mean, but if you are thinking "if my judgement is always perfect in that i never allow a bad process to run thanks to PG ", I would say you are fairly safe.

    But i suppose that's the same thing you can also same even if you don't use PG but merely do safe hex :)

    I value PG for its ability to prevent process termination and to monitor global hooks and stop driver installion.

    Process launch monitoring is a plus, because it might help me detect some droppers trying to run, but I don't think it's the pancea that most people seem to be taking it to be, because at best it gives you a second chance to change your mind.

    If you are going to install program x, PG execute monitoring just means a few seconds wasted clicking yes.











    That is to catch the malware, before it can make use of a buffer overflow. If this is not possible then possibly Stack Defender or Active Shield are products to look at. My gut feel is that it is probably not necessary to look specifically at the buffer overflow problem, if adequate preventative measures are in place, but I am certainly open to comments.

    Rich[/QUOTE]
     
  19. Cluessnewbie

    Cluessnewbie Guest

    Actually I when to the site and read the document, looks like you can add protection to any executable at all. You need to edit the registry and add a new key ,but it isn't too hard.

    It plays well with PG and prevx, I'll now try it against the 2 bufferoverflow attacks that defeated PG and prevx.
     
  20. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Interesting! I knew it was possible to do so, but never found out how. When I was looking around on the site I didn't see it. If you know right off, would you mind posting the URL?
     
  21. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Please do not link my tests now (beta version): each editor has to verify the result (in this case Diamondcs).
    I will link them in this forum when they're totally official.

    Regarding Buffer Overflow, you'll find very intesting link and demothat you can try by yourself here: https://www.wilderssecurity.com/showthread.php?t=62036

    Attack shield is just a demonstartion of Sanasecurity technology (PrimaryResponse) and does not cover spefically Buffer Overflow: it protects pricipally Windows services.

    Stack Defender is the most intersting product to protect a windows single system.
    There is OverflowGuard, BuuferShield and 2 others programs which are not really effective against B.O.

    PrevX Pro does not have a real and effective protection against B.O: it can just detects suspect behaviours used by basics worms (it was confirmed to me by StackDefender Team).
    There is many kinds of worms and infections vectors, but all worms does not use BufferOverflows.

    A protection against this attack is necessary for MSFT SQL Servers.

    Regards
     
  22. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Indeed, but it's free and it's functional, that's the main thing. I also very much like it's transparency, just install it and forget it. Very suitable for inexperienced users, unlike many of the apps we discuss around here. I will probably be installing this on my mom's computer :)

    Right, as stated earlier, it stops any abnormal behavior, up to and including buffer overflow. According to their little demo, it will actually stop at least some. I'm sure that it won't stop all, nothing will, but it would at least stop protected files from carrying out anything that the buffer overflow was intended to do.

    Hehe, you have a bad tendancy to be vague, my friend. In this case they are using "service" in the technical sense, not the "Background Windows Services" that we are used to talking about here, seen in services.msc.

    Attack Shield is by no means a complete defense, like previously mentioned: nothing is. I like it, however, because it at least leaves core system processes protected when Prevx or PG are disabled, thereby closing that gap at least a little, hardening your system will close that gap a little more as well as increase system performance. I don't think that many here will disagree that a layered approach is the way to go, and this makes a very nice layer.. their full product (PrimaryResponse) would probably be too much for me, however, and is marketed to businesses, so it's expensive.

    Interesting. I know they are planning on implementing a new methods of buffer overflow in the next version, it will be interesting to see how that goes.

    I look forward to it :)
     
  23. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Cluessnewbie, kareldjag, Notok,

    Thanks for all of the comments. They are all very helpful.

    Cluessnewbie brings up the very relevent point concerning: when does one know whether a third-party vendor is trustworthy and should be allowed to install a service? As long as PG is protecting against this eventuality (at this point I am assuming that DiamondCS is trustworthy and will remain so), then things are pretty safe. However, if I start installing all kinds of added layers of protection from vendors that I do not know - well it could be lights out pretty fast. Interesting problem for users and vendors alike - i.e. evaluating trustworthiness.

    For example, (and I bring this up strictly as an example, and I am not suggesting anything) is Security Stronghold (Active Shield) trustworthy? How has its trustworthiness been assessed.

    Rich
     
    Last edited: May 25, 2005
  24. StevieO

    StevieO Guest

    This might be useful, though i havn't tried it yet. Hopefully someone has and can comment on it.

    BufferShield

    The commercial version of BufferShield is the only product available for Microsoft platforms allowing the definition of a protection scope, specifying which applications or services should or should not be protected. Additionally the protection scope allows the exclusion of certain memory ranges that should be excluded. This is necessary because some applications actually generate dynamic code on the stack or heap and attempt to execute it afterwards, being detected by BufferShield as an attempted exploitation of a buffer overflow.

    BufferShield's key features:

    Detects code execution on the stack, default heap and dynamic heap

    Can terminate applications in question if a buffer overflow was detected

    Reports to the Windows-2000 event log in case of any detected overflows

    Allows the definition of a protection scope to either protect only defined applications or to exclude certain applications or memory ranges from being protected

    Opposed to the commercial version of BufferShield, protecting all running applications and services, the freely available version is only protecting the following applications:

    MS Internet Explorer

    Opera

    MS Outlook Express

    MS Outlook

    http://www.sys-manage.com/index10.htm


    StevieO
     
  25. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Notok, as you've perhaps noticed it on account of to my typo mistakes (sorry), i was in a hurry (Champion's ligue, glad to see that Liverpool is the winner ;) ).
    It's not a question of being vague or not.

    I've tested Attack Shield and i can't contest that it's an interesting product.
    IPS/HIPS has been released to reduce false positive on IDS, that's why they're often more easy to manage (like "install it and forget it").

    As i said, Attack Shield does not have an effective defense against BufferOverflows (it's not its principal goal).
    Here's a review which confirms it:
    http://www.windowsitpro.com/Articles/Print.cfm?ArticleID=45607

    And here about Primary Response (more effective protection against B.O):
    http://www.securitypipeline.com/trends/showArticle.jhtml?articleID=19300068&pgno=5

    Regards
     
Loading...
Thread Status:
Not open for further replies.